CTX
CTX is a computer worm that was initially discovered as part of the Cholera worm, which its author intentionally infected with CTX. CTX is not in the wild.

Behavior

The worm arrives by e-mail in much the same way as W32.ExploreZip. The attached file is MIME encoded and is named SETUP.EXE. When the worm is executed under the name SETUP.EXE (that is, when the filename ends in "P"), it displays the following text in a message box:

Cannot open file: it does not appear to be a valid archive. If you download this file, try downloading the file again.

Because the CTX virus is activated by the worm, the virus has already infected the machine by the time this message appears on screen.

The worm is multi-threaded. When it is run for the first time, it executes only one of its threads. This thread installs the worm into every available Windows directory on the local machine (WINDOWS, WIN95, WIN98, WIN and WINNT), provided a WIN.INI file is found in that directory. The worm copies itself as RPCSRV.EXE to each of these locations and modifies the WIN.INI file of each Windows directory so that the worm is loaded on the next reboot. On Windows NT or Windows 2000 the WIN.INI modification does not take place, because NT systems redirect the request to the registry instead. (This is the main installation procedure of the worm, and up to this point its mechanism is very similar to that of the W32.ExploreZip worm.) When the infected system is rebooted, the W32.CTX virus first looks for new files to infect on the system.

When the worm is executed as RPCSRV.EXE, the message box is not displayed, and three threads run in parallel. The first thread performs the local installation described above. On Windows 9x systems W32.Cholera registers itself as a service, which hides the process.
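A defender-side check for the installation footprint just described, added here as an example; it is not part of the original wiki page and is not the worm's own code. It assumes that the WIN.INI persistence goes through the load= and run= keys of the [windows] section (the page does not name the key, so that is an assumption) and it scans only the directory names the page lists. The sample WIN.INI contents are constructed for the demonstration.

```python
"""Look for the W32.CTX / Cholera installation footprint on a drive root.

The worm drops RPCSRV.EXE into every candidate Windows directory that holds a
WIN.INI and edits that WIN.INI so the copy starts at the next reboot.  Which
WIN.INI entry is used is not stated on the page; this example ASSUMES the
classic [windows] section "load=" / "run=" start-up keys.
"""
import os
import tempfile
from dataclasses import dataclass

WORM_FILENAME = "RPCSRV.EXE"
# Directory names the worm is described as probing for a WIN.INI.
CANDIDATE_WINDOWS_DIRS = ("WINDOWS", "WIN95", "WIN98", "WIN", "WINNT")
# Assumed persistence keys (not stated on the page).
STARTUP_KEYS = ("load", "run")


@dataclass
class Finding:
    section: str
    key: str
    value: str


def parse_ini(text):
    """Minimal INI parser: {section: [(key, value), ...]}.

    Keeps duplicate keys and lower-cases section/key names; WIN.INI is not
    strict enough for configparser's defaults.
    """
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections


def find_worm_startup_entries(ini_text):
    """Return start-up entries whose value references the worm's file name."""
    findings = []
    for section, entries in parse_ini(ini_text).items():
        for key, value in entries:
            if key in STARTUP_KEYS and WORM_FILENAME.lower() in value.lower():
                findings.append(Finding(section, key, value))
    return findings


def scan_drive_root(root):
    """Check each candidate Windows directory under `root`.

    Mirrors the worm's own rule: only a directory containing WIN.INI counts.
    Reports a dropped RPCSRV.EXE and/or a start-up entry pointing at it.
    """
    report = {}
    for name in CANDIDATE_WINDOWS_DIRS:
        win_dir = os.path.join(root, name)
        ini_path = os.path.join(win_dir, "WIN.INI")
        if not os.path.isfile(ini_path):
            continue
        with open(ini_path, encoding="latin-1", errors="replace") as fh:
            entries = find_worm_startup_entries(fh.read())
        dropped = os.path.isfile(os.path.join(win_dir, WORM_FILENAME))
        if entries or dropped:
            report[name] = {"dropped_file": dropped, "startup_entries": entries}
    return report


# Constructed sample WIN.INI contents (not captured from a real system).
SAMPLE_CLEAN = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_INFECTED = "[windows]\nload=\nrun=C:\\WINDOWS\\RPCSRV.EXE\n[Desktop]\nWallpaper=(None)\n"


def demo():
    """Build a throw-away drive root with one infected WIN.INI and scan it.

    Returns {dir_name: (dropped_file, number_of_startup_entries)}.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS"))
        os.makedirs(os.path.join(root, "WINNT"))  # WIN.INI present but clean
        with open(os.path.join(root, "WINDOWS", "WIN.INI"), "w") as fh:
            fh.write(SAMPLE_INFECTED)
        with open(os.path.join(root, "WINNT", "WIN.INI"), "w") as fh:
            fh.write(SAMPLE_CLEAN)
        report = scan_drive_root(root)
    return {k: (v["dropped_file"], len(v["startup_entries"])) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The scan deliberately follows the worm's own selection rule (a directory counts only if it holds a WIN.INI), so a clean WINNT directory with a WIN.INI is visited but produces no finding, while a WIN.INI whose run= line points at RPCSRV.EXE is reported even if the dropped executable has since been removed.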
On Windows NT systems the worm may not be noticed easily in the task list, because many NT processes run under similar names such as TAPISRV.EXE and TPCHRSRV.EXE.

The second thread enumerates the connected network resources, copies the worm as RPCSRV.EXE into the Windows directories of all network drives, and modifies the WIN.INI files of those directories to load it on the next reboot.

The third thread of Cholera is the major one: it is the communication module of the worm. The thread enumerates the active windows (processes) and looks for names such as OUTLOOK, CUTEFTP, INTERNET EXPLO, TELNET and MIRC. This is used to judge whether the computer is connected to the network and whether network activity will succeed. The worm reads the local SMTP server's address from the registry and then starts to communicate with the server using the necessary protocol (first it sends a "HELO" message, and so on). This thread of W32.Cholera searches the local drive for .HTM, .TXT, .EML, .DBX, .MBX, .NCH and .IDX files in order to find e-mail addresses; these file types are used by e-mail applications such as Outlook and Eudora. The worm then sends a MIME encoded attachment, SETUP.EXE, to the e-mail addresses found in those files.

Trivia

* Cholera/CTX is the only documented virus involved in the Simbiosis Project.
* CTX was also a member of the "BioCoded" string of viruses.

Category:29A Category:Microsoft Windows Category:Virus Category:Worm Category:Win32 Category:Win32 worm Category:Win32 virus